So, a former employee had been using google chat to communicate with his friends. His nemisis (the bosses daughter) has been snooping around his old email account and read through all his chats. Now the hammer comes down, and obviously, the logical thing to do is clamp down everyone's access to anything unrelated to work, right?

That's what I'm trying to avoid with the technology policy. I effectively want it to say, "when you work on company property, we can see all that you are doing, so don't do dumb stuff". But I don't want to be that obvious, because now I have to sit down with the bosses daughter and write this out.

Any insight born of experience that people would care to share with me?

13 Replies

So, a former employee had been using google chat to communicate with his friends. His nemisis (the bosses daughter) has been snooping around his old email account and read through all his chats. Now the hammer comes down, and obviously, the logical thing to do is clamp down everyone's access to anything unrelated to work, right?

That's what I'm trying to avoid with the technology policy. I effectively want it to say, "when you work on company property, we can see all that you are doing, so don't do dumb stuff". But I don't want to be that obvious, because now I have to sit down with the bosses daughter and write this out.

Any insight born of experience that people would care to share with me?

Snarky answer: Act like an adult, or we'll notify the police or your mother as appropriate.

The tech security policy has to say (in legalese of course!) that the employees has no expectation of privacy on corporate systems, email or telephone service.

I'd suggest you need an "Acceptable Use Policy", should be plenty blanks and your HR kit should already have in there.

I'd also suggest that you need to be obvious with the policy, esp in the litigueous US of A, where you need to spell out everything of get slammed with an law suite of some kind by an ambulan... er lawyer. and to be fair, this is only fair.

You also may need to be able to provide evidence of any wrong doing so your logs etc will need to be tamper proof, in case it gets to any employment tribunal (or just pay the guy off !)

This is not your problem. This is an HR problem. Your responsibility is to monitor current security requirements and prevent or report violations.

If you don't currently have a specific policy in place, recommend something to HR and let them deal with it. If you have a policy in place, report the violation with supporting evidence, and let HR figure out the best way to handle the issue.

I have seen several IT people try to enforce the rules/counsel users about things like games, internet use, chat.... Discipline or lack of discipline is always up to the employee's manager and HR.

We have this required by employee agreement and again on every computer before sign on:

THIS COMPUTER IS FOR AUTHORIZED BUSINESS USE ONLY.
-----------------------------------------------------------------------------------------------------------------------------
This computer and associate network is monitored by Company Name.
Users (authorized or unauthorized) have no explicit or implicit expectation
of privacy. Any or all uses of this system and files may be intercepted,
monitored, recorded, copied, audited, inspected, disclosed to management
of Company Name and law enforcement personnel, as well as authorized officials
of other agencies. By clicking OK the user consents to such interception, monitoring,
recording, copying, auditing, inspecting, and disclosure at the discretion
of the management of Company Name. Unauthorized or improper use of
this system may result in administrative disciplinary action to include
termination with cause and civil and criminal penalties. By continuing to
use this system you indicate your awareness of these terms and
conditions of use.
-----------------------------------------------------------------------------------------------------------------------------
LOG OFF AND REPORT TO YOUR SUPERVISOR IMMEDIATELY IF
YOU DO NOT AGREE TO THE CONDITIONS STATED IN THIS WARNING!
THIS COMPUTER IS NOT FOR PERSONAL USE.

We have a tendency to try and make special rules for issues when a computer is involved, when really, the computer isn't the problem.

If someone is spending hours socializing at the water cooler instead of getting their work done, that's exactly the same problem as spending hours on Facebook instead of getting their work done.

The fact that a computer is involved in one and not the other doesn't change the underlying issue, which is that the user isn't getting their work done because they're spending a lot of time socializing.

Instead of requiring elaborate, detailed rules about exactly what behaviors are allowed and not allowed, just enforce existing policies that say no richarding around on work time.

My suggestion is to have HR draft it, and you go over it, rather than the other way around. While this is a technology policy, it's a generic one that requires no technical knowledge to put together, and should fit HR's needs before yours.

In short, as others said:

You have no expectation of privacy at work, use of work equipment for personal use is not permitted and may be punishable by disciplinary action up to and including termination.

This is all encompassing, PC, Phone, Copier, Coffee Machine, TV, Chairs, etc. So it's not just a technology thing.

So, a former employee had been using google chat to communicate with his friends. His nemisis (the bosses daughter) has been snooping around his old email account and read through all his chats.

So has she been reading through his personal gmail account to get at these chats or was he using a work gmail account [apps or similar] to chat with people?

If it's the personal gmail, I would be very careful. Reading log files is one thing, her getting into personal accounts is another. You have no expectation of privacy when using your personal email at work on a work machine [screen recording / key logger etc.] but that would not stretch to someone else gaining access to it, as far as I know. IANAL but that could be a problem for anyone involved.

No, his friends would gchat his work account. She aided in the IT while they were in-between it folks. Our needs are fairly simple, and she's an admin on the google apps system.

Martin2012, thanks for giving me the right terminology.

A number of you have stated that this is an HR problem. We don't have much of an HR department, but I would agree if you said that it is a management problem (of an employee who left months ago, but I digress). Still, we don't have any sort of policy in place, so this was really inevitable.

I've done security policies for smaller organizations before, but they were really painful, banal things that you simply had to have on file for legal reasons. Here, the acceptable use policy will have my name on it, and will follow me around for quite some time, so I want to get it right.

Here in Norway, a corporation's management was reported to the police after reading through several employers' email. The thing is, even if it was in the company's email system, the subject line etc indicated that the email was of a private kind. Therefore, the manger should not have read it, as it was not relevant to the company, and the user clearly had somehow expected privacy.

Your writen policy will have to be clear on this matter, if you are ever to look through any of the users stuff.

BTW, why was it a problem that the user had chatted with the company account? I mean, I wouldn't want my users to do that, but foremost because it is unprofessional.

Depending on what sort of industry you are in, there may be some specific legal requirements of things you need to have, things you cannot have & so on. If your company is in any sort of industry based group or association it may be worth seeing if they have recommendations or draft paperwork.

1st Post

ok I have had to do this at my last two jobs and basically you want to say you can monitor at any time but it has to come from the direct supervisor to issue a monitoring of usage. Then you wan to put in there the old you use the computer for work only. I had a lot of blow back by people saying well who monitors him” and “will he just be spying on us” and I had to clarify that I don’t watch until they give me reason so don’t give them a reason to make me watch ad report it to your boss. It is an HR issue most of the time but when it comes to IT most HR people will defer to you as IT just because most(not all) don’t want to touch anything in IT